It seems that this time is an urgent security update, so it seems to be only NIS.
However, there is an update of price change soon, so NIS, NanoWallet, mobile wallet should be all upgraded.
Is the hash published on the blockchain really a sha256 as the header of the payload indicates?
curl -L -s http://bigalice3.nem.ninja:7890/transaction/get?hash=$(curl -L -s http://bob.nem.ninja/nis-ncc-0.6.91.tgz.sig | grep txId | sed -e 's/txId: //')
{"meta":{"innerHash":{},"id":884431,"hash":{"data":"d162f6921faf566baa6bada85a8effa7a0de0598f4aed0c720192ba24e432c0b"},"height":1185191},"transaction":{"timeStamp":71772403,"amount":0,"signature":"ccb1a876bbc8e4ac2470af043b3a24a447e9b8e7b8fe317e265389bcfb114401a097132b9d9d2ac4b91a10efef2d7c33ddddaa7b3c7fcccb1b7aeaa80527d00d","fee":10000000,"recipient":"NCZSJHLTIMESERVBVKOW6US64YDZG2PFGQCSV23J","type":257,"deadline":71776003,"message":{"payload":"fe4e545903b9724a15f75c4f8fce078fb84fbcf535a5f9465f6b51667e505b9c42a876370a0000626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e74677a","type":1},"version":1744830465,"signer":"826cedee421ff66e708858c17815fcd831a4bb68e3d8956299334e9e24380ba8"}}
The sha published is 151 characters long, which doesn’t look right for a sha256 which is 256bits long.
This currently blocks the upgrade of nem-docker.
hmm…so need to wait for @gimre to clarify. He will be available on monday.
Apparently the sha256 is followed by the download URL hexencode.
nem-docker has now been updated to this version. To update:
./stop.sh
git pull
./boot.sh
thx, rb2
yes, I remember someone (you?) mentioned it in other thread, but I couldn’t find it.
although apostille format does not defined it, I’ve added two 0 bytes after the hash, and that’s followed by URL without protocol part, so i.e.
fe - hex marker
4e5459 - apostille marker 'NTY' in hex
03 - hash specification, 3 == sha256
e958d17fd0705fa051924a81e8823e8f4689c76ccdd84ffcd4f836a997765373 - hash itself
0000 - two zero bytes
626f622e6e656d2e6e696e6a612f696e7374616c6c65722f6e69732d6e63632d302e362e39312e7a6970 - url
So, do I need to do anything to protect my nem is
MF I use NanoWallet??
This could achieve also the opposite, that people will update slow.
Wouldnt it be more trustworthy if you post the direct code fix.
Depends how fatal the exploit is… for example a exchange or payment processor could compile it by themself and still able use the old version. Otherwise just stop trading.
Decentralization should be slow, it would be not a good sign if 700 nodes switch instant to a new release(not vetted).
hello everybody, someone can tell with me how much NEM i earn per day if have 10000 NEM for harvesting? thank!
If you just use Nano Wallet the update is not relevant for you
did we ever release a version that has not been tested?
Even if you could proof all the test cases you did run. What does this has to do with the upgrading process itself?
Just imagine bitcoin core would say to upgrade to 15.0.0 with following context.
“We’ll reveal the details, once most of the nodes will be updated”
Most of the network would think they are out of their mind.
For example the Bitshares network didnt produce any new blocks since yesterday.
They released a statement with the fixed code and a timeline whats happening.
In my opinion this is a better process.
and that is great advantage we have over bitcoin… my personal opinion is that bitcoin miners are blocking development of bitcoin. it’s not the miners that should DECIDE what features may or may not enter the chain, it should be USERS.
I think that’s the situation we have. If users wouldn’t trust us, they simply would not update.
As stated, it’s a security release, and we decided not to share the details upfront, not to put everyone at risk.
The only fix I see is a version increment. Shouldn’t I rebuild from source?
I have tried to update 0.6.91, but have not successed.
I copied jar files from package/ncc, nis, console, mon, and reboot.
But node/info said
{“timeStamp”:71976891,“error”:“Service Unavailable”,“message”:“NIS_ILLEGAL_STATE_LOADING_CHAIN”,“status”:503}
and after a while,
{“metaData”:{“features”:1,“application”:null,“networkId”:104,“version”:“0.6.87-BETA”,“platform”:“Oracle Corporation (1.8.0_121) on Linux”},“endpoint”:{“protocol”:“http”,“port”:7890,“host”:“xxx.xxx.xxx.xx”},“identity”:{“name”:“xxxxx”,“public-key”:“xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”}}
Could anyone tell me what I should do ?
well the node was loading the chain and while doing so it doesn not answer to any request.
looks good, nothing wrong.
Be happy
Thank you for reply.
I worry that node/info says “version”:“0.6.87-BETA”, this is not ,“version”:“0.6.91-BETA”,
Do I have any mistake ?
oh, i didn’t see that. Indeed that is a bad sign ^^
You probably forgot to delete the old jars?
Yes, I remain the old jars. In case of 0.6.87 update, the old jars were no problem.
Is it bad ? Should I delete those ?
yes, delete the old jars because else those will be used.